Configuring VTY Lines ACL

When it comes to management traffic, you want to ensure that ONLY authorized hosts have the ability to access the device at all. This lab will discuss and demonstrate the configuration and verification of applying an ACL to the VTY lines.

Real World Application

In production networks it is common security policy to control remote administration of network devices with an access control list that allows only particular administrative subnets and/or hosts to establish a remote exec session to the device for management.

This lab will teach you how to configure an ACL that controls which networks and/or hosts may establish an exec session via the VTY lines used for remote administration.

Lab Prerequisites

If you are using GNS3, load the Free CCNA Workbook GNS3 topology, then start R1, R2, R3 and SW1.

Configure the IP address 10.1.1.1/24 on the FastEthernet0/0 interface of R1.

Configure the IP address 10.1.1.2/24 on the FastEthernet0/0 interface of R2.

Configure the IP address 10.1.1.3/24 on the FastEthernet0/0 interface of R3.

Configure a local username and password on R1 with level 15 privileges which will be used to authenticate VTY exec sessions locally.

Configure R1 to accept both Telnet and SSH sessions.

Lab Objectives

Create a named extended access-list called VTY_ACCESS.

Deny host 10.1.1.3 from accessing the VTY lines via Telnet.

Permit the network range 10.1.1.0/24 to use Telnet or SSH.

Deny all other traffic and log the denied attempted connections.

Apply the access-list to the VTY lines using the access-class command.

Verify your configuration and connectivity using R2 and R3.

Lab Instruction

One of the biggest new management features of 12.3T and 12.4 mainline is the ability to use extended access-lists to permit particular traffic to establish an exec session to the VTY lines of a Cisco device using a particular protocol, i.e. Telnet and/or SSH.

Step 1. – Configure a named access-list on R1 called VTY_ACCESS

R1 con0 is now available
Press RETURN to get started.
R1>enable
R1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#ip access-list extended VTY_ACCESS
R1(config-ext-nacl)#

Step 2. – Deny host 10.1.1.3 from accessing the VTY lines via Telnet. In order to complete this objective you’ll need to specify the source as host 10.1.1.3 and the destination as any eq telnet, as shown below:

R1(config-ext-nacl)#10 deny tcp host 10.1.1.3 any eq telnet

Read Me

When traffic is destined to the control plane of the device itself, as with an ACL applied to the VTY lines, the destination in the ACL is written as any (0.0.0.0/0): the session may be addressed to any of the device’s own IP addresses, so no single destination address is specified.

Step 3. – Permit the network range 10.1.1.0/24 to use Telnet or SSH. This objective requires two access list entries, one for Telnet (TCP port 23) and one for SSH (TCP port 22), as shown below:

After verifying that the access-list is correct, you can test connectivity to R1 from R2 using Telnet and/or SSH. Keep in mind that when you Telnet or SSH from a Cisco device, the session is sourced from the IP address of the interface the traffic exits to reach the destination, in this case 10.1.1.2/24, as shown below by the show users command:

You can verify that Telnet was indeed denied by the VTY line ACL on R1 by executing the show access-list command in privileged mode. The output shows a hit count (matches) beside each access control list entry that has matched traffic:
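As an added example that is not part of the workbook, the following Python model walks the lab’s VTY_ACCESS list the way IOS does (top-down, first match wins) and keeps the per-entry hit counters that show access-list reports; the sequence numbers 20 to 40 and the off-subnet source address used for the deny-and-log case are assumptions.

```python
# Added example, not from the workbook: first-match evaluation of the lab's
# VTY_ACCESS extended ACL with the '(N matches)' hit counters that
# 'show access-list' reports. Sequence numbers 20-40 are constructed;
# VTY access is always TCP, so the protocol field is not modelled.
import ipaddress
from dataclasses import dataclass

TELNET, SSH = 23, 22

def source_matches(source: str, src_ip: str) -> bool:
    """Apply an IOS source specifier ('any', 'host A.B.C.D' or 'A.B.C.D WILDCARD')."""
    if source == "any":
        return True
    kind, *rest = source.split()
    if kind == "host":
        return src_ip == rest[0]
    # Wildcard mask: 0 bits must match the network, 1 bits are don't-care.
    net, wildcard, src = (int(ipaddress.IPv4Address(x)) for x in (kind, rest[0], src_ip))
    return (src ^ net) & (~wildcard & 0xFFFFFFFF) == 0

@dataclass
class Entry:
    seq: int
    action: str              # "permit" or "deny"
    source: str              # IOS source specifier, see source_matches()
    dst_port: "int | None"   # destination TCP port ('eq'); None = any port
    log: bool = False        # 'log' keyword on the entry
    hits: int = 0            # the '(N matches)' counter in show access-list

# The lab objectives in the order IOS evaluates them (first match wins).
VTY_ACCESS = [
    Entry(10, "deny", "host 10.1.1.3", TELNET),
    Entry(20, "permit", "10.1.1.0 0.0.0.255", TELNET),
    Entry(30, "permit", "10.1.1.0 0.0.0.255", SSH),
    Entry(40, "deny", "any", None, log=True),
]

def evaluate(acl: list, src_ip: str, dst_port: int) -> tuple:
    """Return (action, logged) for one VTY connection attempt: entries are walked
    top-down, the first match counts a hit and ends evaluation. Entry 40 makes the
    otherwise silent implicit deny visible; a fall-through counts no hit."""
    for entry in acl:
        if source_matches(entry.source, src_ip) and entry.dst_port in (None, dst_port):
            entry.hits += 1
            return entry.action, entry.log
    return "deny", False

def show_access_list(acl: list) -> dict:
    """Hit count per sequence number, as 'show access-list' displays it."""
    return {e.seq: e.hits for e in acl}
```

Running evaluate() for R3 on port 23, R3 on port 22, R2 on port 23 and a host outside 10.1.1.0/24 exercises each entry once, and show_access_list() then reports one hit on every sequence number.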